Configure an SD-WAN Policy Rule

Configure an SD-WAN policy rule to determine how the firewall selects a path for session load sharing and how it responds when the health of the preferred path deteriorates.
An SD-WAN policy rule specifies application(s) and/or service(s) and a traffic distribution profile to determine how the firewall selects the preferred path for an incoming packet that doesn’t belong to an existing session and that matches all other criteria, such as source and destination zones, source and destination IP addresses, and source user. The SD-WAN policy rule also specifies a path quality profile of thresholds for latency, jitter, and packet loss. When one of the thresholds is exceeded, the firewall selects a new path for the application(s) and/or service(s).
When monitoring your SD-WAN traffic, keep in mind that traffic originating from a source behind the hub device is evaluated against the SD-WAN policies pushed to the hub device as it enters the hub device. Because the path selection decision has already been made, the branch device does not evaluate that traffic against its own SD-WAN policies as it passes through the branch device to the final target device. Conversely, traffic originating from a source behind the branch device is evaluated against the SD-WAN policies pushed to the branch device and not by the hub device. The Panorama™ management server aggregates the logs from both the hub and the branch; for the same traffic, two session entries are displayed, but only the SD-WAN device that originally evaluated the traffic contains the SD-WAN details.
In an SD-WAN policy rule, you also specify the devices to which you want Panorama to push the rule.
  1. Select Policies > SD-WAN and select the appropriate device group from the Device Group context drop-down.
  2. Add an SD-WAN policy rule.
  3. On the General tab, enter a descriptive Name for the rule.
  4. On the Source tab, configure the source parameters of the policy rule.
    1. Add the Source Zone or select Any source zone.
    2. Add one or more source addresses, set an external dynamic list (EDL), or select Any Source Address.
    3. Add one or more source users or select any Source User.
  5. On the Destination tab, configure the destination parameters of the policy rule.
    1. Add the Destination Zone or select Any destination zone.
    2. Add one or more destination addresses, set an EDL, or select Any Destination Address.
  6. On the Application/Service tab, select a Path Quality profile or Create a Path Quality Profile.
  7. Add Applications and select one or more applications from the list, or select Any applications. All applications you select are subject to the health thresholds specified in the Path Quality profile you selected. If a packet matches one of these applications and that application exceeds one of the health thresholds in the Path Quality profile (and the packet matches the remaining rule criteria), the firewall selects a new preferred path.
    Add only business-critical applications and applications whose usability is sensitive to path conditions.
  8. Add Services and select one or more services from the list, or select Any services. All services you select are subject to the health thresholds specified in the Path Quality profile you selected. If a packet matches one of these services and that service exceeds one of the health thresholds in the Path Quality profile (and the packet matches the remaining rule criteria), the firewall selects a new preferred path.
    Add only business-critical services and services whose usability is sensitive to path conditions.
  9. On the Path Selection tab, select a Traffic Distribution profile or Create a Traffic Distribution Profile. When an incoming packet (unassociated with a session) matches all the match criteria in the rule, the firewall uses this Traffic Distribution profile to select a new preferred path.
  10. On the Target tab, use one of the following methods to specify the target firewalls in the device group to which Panorama pushes the SD-WAN policy rule:
    • Select Any (target to all devices) (the default) to push the rule to all devices. Alternatively, select Devices or Tags to specify the devices to which Panorama pushes the SD-WAN policy rule.
    • On the Devices tab, select one or more filters to restrict the selections that appear in the Name field; then select one or more devices to which Panorama pushes the rule, as in this example:
    • On the Tags tab, Add one or more Tags and select the tag(s) to specify that Panorama push the rule to devices that are tagged with the selected tags, as in this example:
    • If you specified Devices or Tags, you can select Target to all but these specified devices and tags to have Panorama push the SD-WAN policy rule to all devices except the specified devices or tagged devices.
  11. Click OK.
  12. Commit and Commit and Push your configuration changes.
  13. (Best Practice) Create a catch-all SD-WAN policy rule to Distribute Unmatched Sessions so that you can control which links any unmatched sessions use and view unmatched sessions in logging and reports in the SD-WAN plugin.
    If you don’t create a catch-all rule to distribute unmatched sessions, the firewall distributes them in round-robin order among all available links because there is no traffic distribution profile for unmatched sessions. Round-robin distribution of unmatched sessions can increase your costs unexpectedly and result in loss of application visibility.
  14. After configuring your SD-WAN policy rules, Create a Security Policy Rule to allow traffic (for example, bgp as an Application) from branches to the internet, from branches to hubs, and from hubs to branches.
  15. (Optional) Configure QoS for critical applications.
    If the SD-WAN applications need guaranteed bandwidth capacities, or if you do not want other applications taking bandwidth from critical business applications, create QoS rules to control the bandwidth properly.
  16. To automatically set up BGP routing between VPN cluster members, in the SD-WAN plugin, Configure BGP routing between branches and hubs to dynamically route traffic that will be subject to SD-WAN failover and load sharing.
    Alternatively, if you want to manually configure BGP routing on each firewall or use a separate Panorama template to configure BGP routing (for more control), leave the BGP information in the plugin blank. Instead, configure BGP routing.
  17. Configure NAT for public-facing virtual SD-WAN interfaces.
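The following is an added illustrative model, not PAN-OS or Panorama code, of the path-selection behaviour this procedure configures: only the first packet of a new session is matched against the rule's zone and application criteria and assigned a link from the Traffic Distribution order; a session is moved only when its current link exceeds a Path Quality threshold; and sessions that match no rule fall back to round-robin across all links, as described under the catch-all best practice. The rule, link and zone names, the tuple of (latency, jitter, loss) metrics, and the choice to keep the top-preferred link when no link is healthy are all assumptions of this model.

```python
from dataclasses import dataclass
from itertools import cycle

@dataclass
class PathQuality:
    """Thresholds from a Path Quality profile (assumed units: ms, ms, percent)."""
    latency_ms: float
    jitter_ms: float
    loss_pct: float

    def healthy(self, m):  # m = (latency, jitter, loss) measured on a link
        return m[0] <= self.latency_ms and m[1] <= self.jitter_ms and m[2] <= self.loss_pct

@dataclass
class Rule:
    name: str
    src_zones: set        # "any" matches every zone
    dst_zones: set
    apps: set
    quality: PathQuality
    distribution: list    # preferred link order from the Traffic Distribution profile

    def matches(self, pkt):
        ok = lambda allowed, v: "any" in allowed or v in allowed
        return (ok(self.src_zones, pkt["src_zone"]) and ok(self.dst_zones, pkt["dst_zone"])
                and ok(self.apps, pkt["app"]))

class SdwanFirewall:
    def __init__(self, rules, links):
        self.rules, self.links = rules, links
        self.metrics = {l: (0.0, 0.0, 0.0) for l in links}  # constructed: all links start healthy
        self.sessions = {}                                 # session key -> (rule or None, link)
        self._rr = cycle(links)                            # fallback for unmatched sessions

    def _best_link(self, rule):
        for link in rule.distribution:
            if rule.quality.healthy(self.metrics[link]):
                return link
        return rule.distribution[0]  # assumption: no healthy link, stay on the top choice

    def packet(self, pkt):
        """Return the link for this packet; only a new session is evaluated against rules."""
        key = (pkt["src"], pkt["dst"], pkt["app"])
        if key not in self.sessions:
            rule = next((r for r in self.rules if r.matches(pkt)), None)
            link = self._best_link(rule) if rule else next(self._rr)  # unmatched: round-robin
            self.sessions[key] = (rule, link)
        return self.sessions[key][1]

    def update_metrics(self, link, latency, jitter, loss):
        """Record new measurements and re-select paths for sessions on a link that now exceeds a threshold."""
        self.metrics[link] = (latency, jitter, loss)
        for key, (rule, cur) in self.sessions.items():
            if rule and cur == link and not rule.quality.healthy(self.metrics[link]):
                self.sessions[key] = (rule, self._best_link(rule))
```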
